Cross-Site Scripting Bug Discovered on Amazon

A security researcher known by the nickname "SeeMe" said that a critical persistent cross-site scripting (XSS) flaw was found on Amazon.com (America's largest online retailer) on 30th Sept. 2010, as reported by xssed on 4th Oct. 2010.

According to security experts, this flaw can be extremely hazardous, as XSS weaknesses can be abused to embed illegitimate or malicious code into legitimate web pages.

The XSS vulnerability is located in the "Title" field of the form used to publish new products in Amazon's catalog. Reproducing the flaw requires a Pro Merchant ($39.99) subscription; otherwise the user cannot register his own item in the Amazon catalog.

The problem occurs because the product title parameter does not properly sanitize the data passed through the affected field, which in turn permits prospective cybercriminals to insert malicious code, such as a persistent XSS payload, into the resulting product page.

The product's page is displayed in Google SERPs (Search Engine Results Pages) immediately after a new product is added, and pretty immediately in Amazon's search results as well. This implies that the infected product page was discoverable via Google, but it could also have been used to craft a convincing e-mail based phishing attack.

According to the reports, the researcher created a proof-of-concept listing that triggered an alert box with the user's session cookie, but he could easily have sent it to a remote website under his control.
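The unsanitized title field and the cookie-reading proof of concept described above, seen from the defender's side as an added example (not code from Amazon, xssed or the original article). All function names and the sample titles are constructed for illustration.

```javascript
// Added illustration; every name here is hypothetical, not Amazon's code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the stored title is concatenated into the page as markup,
// so anything a merchant typed into the Title field is parsed as HTML.
function renderTitleUnsafe(title) {
  return '<h1 class="product-title">' + title + '</h1>';
}

// "After": the stored title is encoded at output time and renders as text.
function renderTitleSafe(title) {
  return '<h1 class="product-title">' + escapeHtml(title) + '</h1>';
}

// Intake check (defence in depth, not a substitute for output encoding):
// flag titles that carry markup so the listing can be rejected or reviewed.
function titleLooksLikeMarkup(title) {
  return /<[a-z!\/]|&#|javascript:/i.test(String(title));
}

// HttpOnly keeps the session cookie out of document.cookie, so a script
// that does get injected cannot read it the way the proof of concept did.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed sample titles: one ordinary, one carrying a script element.
const SAMPLE_TITLES = [
  'USB-C Cable 2m (Black) & Adapter',
  'Cable <script>alert(1)</script>',
];

// Compare both renderers and the intake check for each submitted title.
function audit(titles) {
  return titles.map((t) => ({
    flagged: titleLooksLikeMarkup(t),
    unsafeHasScriptTag: renderTitleUnsafe(t).includes('<script>'),
    safeHasScriptTag: renderTitleSafe(t).includes('<script>'),
  }));
}

console.log(audit(SAMPLE_TITLES));
console.log(sessionCookieHeader('session', 'constructed-value'));
```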

Commenting on the whole issue, Dimitris Pagkalos, co-founder of the XSSed Project, said that attackers could create a new Pro Merchant account using stolen credit/debit card information and prove their identity by means of a public telephone or an unauthorized phone number. Innocent Amazon users are more prone to XSS attacks that target private and monetary information. If the attackers use a trendy keyword in the XSS attack vector, an even larger number of Amazon users could be infected, as reported by Softpedia on 4th Oct. 2010.

» SPAMfighter News - 10/14/2010